Access Control Flaw in OpenStack Image Registry for Glance by OpenStack
CVE-2013-4428

Currently unrated

Key Information:

Vendor: Openstack
Status: Glance
Vendor: CVE Published:; 27 October 2013

Summary

The OpenStack Image Registry and Delivery Service (Glance) has an access control flaw that allows remote authenticated users to gain unauthorized access to cached images. This issue arises when the download_image policy is misconfigured, enabling users to read otherwise restricted images simply by utilizing the image UUID. Affected versions include Folsom, Grizzly prior to 2013.1.4, and Havana prior to 2013.2. Organizations using these versions should take immediate steps to assess and mitigate the risk.

References

http://rhn.redhat.com/errata/RHSA-2013-1525.html

vendor-advisoryx_refsource_REDHAT

http://www.ubuntu.com/usn/USN-2003-1

vendor-advisoryx_refsource_UBUNTU

https://launchpad.net/glance/+milestone/2013.1.4

x_refsource_CONFIRM

Timeline

Vulnerability published
Oct 27, 2013
Vulnerability Reserved
Jun 12, 2013